Security trends 2017

Year 2017 will not have any turn towards better data security. The internet is rife with such well-known than the unknown threats. The company’s systems are supposed to be protected.Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure cames under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. IT security functions of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.

There is push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but the studies shows that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS and DDoS will overshadow ransomware attacks and is used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent of face detection and three per cent iris detection.

Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection case against skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population is persons with a fingerprint not suitable for biometric identifier to work. Other biometric identification systems have also similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.

Fights with encryption and backdoors for them is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report . The problem is that any system allowing police to get into those encrypted system (let it be phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the longterm impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.

The rivalry between the network attacks and network security is in acceleration. Crippling Internet services with denial of service attacks are becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping the attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (needs to use telecom operator and external services increase). In addition to service disturbion Denial of Service Attacks are often used as distraction during the actual data burglary.DDoS may take over from ransomware as a cause for concern.

In 2017 the IT and security professionals talk about more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.

Cyber insurance will be more thoughs as on solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7.Those of you who’ve read George Orwell’s book 1984 or seen the movie ,will remember how the citizens of the fictitious totalitarian state of Oceana are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen and not only are you sitting in front of what is a modern day version of the Big Brother telescreen you are also walking around with one in your pocket or handbag. Sound a bit far fetched to you? Well it’s set to become a reality in many countries.

Users will want better security or at least to feell more secure in 2017. Many people are prepared to to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll Nearly 40% of Americans Would Give Up Sex for a Year or eating their favourite food in Exchange for Better Online Securit, meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security Becomes A Multi-System Issue and more people talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device.The good news is that it more people talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers.The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Block chains have been a big trend for several years. The block chain market is divided now when 2017 starts. During the autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM has jumped Hyperledger consortium bandwagon and offering their own block chains to Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for the block chains.

 

Other prediction articles worth to look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls

 

 

1,060 Comments

  1. Tomi Engdahl says:

    Wannacry or Conficker: How to prevent worms in real life
    http://www.ism3.com/node/89

    There is plenty of published info about Wannacry; I am not replicating any here. How can your company avoid being hit? It is simple and it is complicated. First we need to understand why companies don’t apply patches:

    1. They don’t know it should be done.
    2. They feel they are too busy to do it.
    3. They feel it creates issues, with no obvious benefit.
    4. They don’t do it often enough.
    5. There are no immediate drawbacks of stopping to patch, eventually it becomes normal not to do it.
    6. The people responsible to do it move on to new jobs, and the new ones don’t get promotions or are rewarded for doing it. Why bother?

    Preventing worms is a team effort between the Systems teams and Security teams. Security teams are responsible for monitoring new vulnerabilities and patches, and handing over that information to the System team.

    Reply
  2. Tomi Engdahl says:

    Julian Assange will still be arrested if he leaves Ecuadorian embassy in London, Met Police confirms
    Separate bail warrant stands after Sweden drops sexual assault investigation
    http://www.independent.co.uk/news/uk/home-news/julian-assange-arrest-leave-ecuador-embassy-metropolitan-police-london-wikileaks-sweden-drop-a7744231.html

    Julian Assange will be arrested if he leaves the Ecuadorian embassy despite Sweden dropping its sexual assault investigation, British police have confirmed.

    A spokesperson for the Metropolitan Police said that despite Sweden’s European arrest warrant for the WikiLeaks founder being lifted, he was under a separate warrant for skipping bail.

    “Westminster Magistrates’ Court issued a warrant for the arrest of Julian Assange following him failing to surrender to the court on the 29 June 2012,” a statement said.

    “The Metropolitan Police Service is obliged to execute that warrant should he leave the Embassy.”

    “Now that the situation has changed and the Swedish authorities have discontinued their investigation into that matter, Mr Assange remains wanted for a much less serious offence,” a spokesperson said.

    Reply
  3. Tomi Engdahl says:

    Paul Sawers / VentureBeat:
    Restaurant search and food delivery service Zomato hacked, says 17M email addresses and hashed passwords were stolen

    Restaurant search service Zomato hacked, says 17 million customer email addresses and passwords stolen
    https://venturebeat.com/2017/05/18/restaurant-search-service-zomato-hacked-says-17-million-customer-email-addresses-and-passwords-stolen/

    Restaurant search service Zomato is the latest in a long line of companies to be hacked. The company has revealed that millions of its customer accounts were accessed, with email addresses and hashed passwords stolen.

    Zomato, which claims 120 million users each month, said that around 17 million accounts are affected, though it has asserted that financial information and other personal details remain safe. The company also said that the passwords should be safe because that they were hashed, meaning they are essentially a random string of characters that bear no relation to the actual password they conceal.

    Reply
  4. Tomi Engdahl says:

    Cybersecurity risk spikes with mingling of operations and IT technologies
    Resources available to learn about cybersecurity frameworks; receive alerts, advisories and reports.
    http://www.controleng.com/single-article/cybersecurity-risk-spikes-with-mingling-of-operations-and-it-technologies/bbb3537f376de9e28d66383261d7a199.html?OCVALIDATE&email=tomi.engdahl@netcontrol.fi&ocid=101781

    The growing threat

    The threat is not hypothetical. The global energy industry has already experienced a number of significant incidents. Remote cybersecurity attacks were reportedly used to cause the 2008 explosion of a pipeline in Turkey. In December 2015, the first successful disruption of a public energy grid occurred in Ukraine when attackers used a spear-phishing campaign to obtain administrator credentials, then remotely accessed the SCADA network and halted electricity distribution. The resulting blackouts affected more than 230,000 customers.

    nformation sources

    As you might imagine, responsibility for U.S. federal government functions related to industrial cybersecurity is spread across several departments and agencies. Good places to start your quest for more insight into energy sector cybersecurity include the following:

    The “Cybersecurity framework implementation guidance” from the U.S. Department of Energy includes standards, guidelines and practices to promote the protection of critical infrastructure.
    The U.S. network of oil and gas transportation and distribution pipelines is the purview of the same Transportation Security Administration responsible for security in the 440 airports of the United States. Oil and gas pipeline managers’ can look to the cybersecurity recommendations in the Transportation Security Administration’s “Pipeline security guidelines.”
    The Federal Energy Regulatory Commission (FERC) is an independent agency that regulates interstate transmission of electricity, natural gas and oil. The North American Electric Reliability Corporation (NERC), which FERC has certified as the nation’s “electric reliability organization,” has developed critical infrastructure protection (CIP) cybersecurity reliability standards for electric smart grids.

    Note that while these standards are a good place to begin, following their recommendations is in no way mandatory. Moreover, they do not create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving threats.

    In addition, The SANS Institute’s “CIS critical security controls” provide guidance for implementing cybersecurity and risk management programs specifically for critical infrastructure. The SANS Institute was established in 1989 as a cooperative research and education organization. It says it is the largest source in the world for information-security training and security certification in the world.

    Besides the adoption of frameworks, energy-asset owners and operators should develop appropriate supporting management practices, including employee training, performance tracking metrics and business intelligence related to their cybersecurity program.

    Cultural aspects of security

    Energy companies must develop a risk-management culture that focuses on identifying and preventing cybersecurity vulnerabilities. This can be done in much the same way a culture for identifying and eliminating threats to physical safety of individuals and infrastructure was developed in the U.S. and Europe in the past. The cultural aspects of security are especially a matter of concern because employees are often one of the weakest links in cybersecurity.

    Reply
  5. Tomi Engdahl says:

    Police anti-ransomware warning is hotlinked to ‘ransomware.pdf’
    This (probably) isn’t a spear phishing attack but we were too afraid to verify
    https://www.theregister.co.uk/2017/05/17/ransomware_wannacrypt_how_not_to_warn_against_it/

    Official anti-ransomware advice issued by UK police to businesses can only be read by clicking on a link titled “Ransomware” which leads direct to a file helpfully named “Ransomware.pdf”.

    In case you’ve been living under a rock, large chunks of the digitised world, including most of the NHS, were, ahem, digitally disrupted by the WannaCrypt ransomware last week.

    A total of 74 countries were hit by the self-spreading cryptoware, which attempted to extort users into paying $300 in Bitcoin.

    Reply
  6. Tomi Engdahl says:

    Font Sharing Site DaFont Has Been Hacked, Exposing Thousands of Accounts
    https://developers.slashdot.org/story/17/05/18/2042237/font-sharing-site-dafont-has-been-hacked-exposing-thousands-of-accounts

    A popular font sharing site DaFont.com has been hacked, resulting in usernames, email addresses, and hashed passwords of 699,464 user accounts being stolen. ZDNet reports:

    Font sharing site DaFont has been hacked, exposing thousands of accounts
    Over 98 percent of the passwords were cracked, thanks to the site’s poor password security.
    http://www.zdnet.com/article/font-sharing-site-dafont-hacked-thousands-of-accounts-stolen/

    A popular font sharing site DaFont.com has been hacked, exposing the site’s entire database of user accounts.

    Usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen in the breach, carried out earlier this month, by a hacker who would not divulge his name.

    The passwords were scrambled with the deprecated MD5 algorithm, which nowadays is easy to crack. As such, the hacker unscrambled over 98 percent of the passwords into plain text. The site’s main database also contains the site’s forum data, including private messages, among other site information. At the time of writing, there were over half-a-million posts on the site’s forums.

    Reply
  7. Tomi Engdahl says:

    Losses from reported Australian hacking incidents quadrupled in 2016: ACCC
    http://www.zdnet.com/article/losses-from-reported-australian-hacking-incidents-quadrupled-in-2016-accc/

    The consumer watchdog revealed that AU$2.9 million was reported as lost to hacking in 2016, up from a mere AU$700,000 in 2015.

    The Australian Competition and Consumer Commission (ACCC) has reported a four-fold increase in hacking scams, with AU$2.9 million lost to such activity in 2016, up from AU$700,000 in 2015.

    According to Targeting scams: Report of the ACCC on scams activity 2016, businesses bore the brunt of these scams, with over half — AU$1.7 million — being attributed to businesses.

    “While the digital economy presents many opportunities and efficiencies for businesses, it also presents significant risks,” ACCC deputy chair Delia Rickard says in the report’s foreword.

    Reply
  8. Tomi Engdahl says:

    Aaronia Drone Detection system
    http://www.aaronia.com/products/solutions/Aaronia-Drone-Detection-System/

    Real-Time RF Drone / UAV and Radar Detection System

    Tired of wasting time in testing Drone Detection Systems which does not work properly?

    Find here our latest product: The RF Drone or Radar Detection System. It is based on the Aaronia IsoLOG 3D Tracking Array Antenna, a rugged or remote-controllable Spectran V5 Real-time Spectrum Analyzer and a new Software Plugin for the RTSA Suite Software. All parts work perfectly together and allow a 24/7 monitoring and recording (full gapless data-streaming with up to 4TB/day).

    Each Sector/Antenna gets its own real-time view and is based on RF and µW detection. All views are combined to a 360° view including a 360° picture or 360° live video of the surrounding area/landscape. This gives full control over any RF emissions happening around. The system can provide an optical or audio alert if critical values are exceeded. Collect data and compare them to find out irregularities.

    The Drone Detection System saves considerable measurement time and allows very detailed information on the spreading patterns of drone emissions. The solution is compact, flexible and can be set up at any place you need to control.

    Reply
  9. Tomi Engdahl says:

    Microsoft Withheld Update That Could Have Slowed WannaCry: Report
    http://www.securityweek.com/microsoft-withheld-update-could-have-slowed-wannacry-report

    American software giant Microsoft held back from distributing a free security update that could have protected computers from the WannaCry global cyber attack, the Financial Times reported Thursday.

    In mid-march, Microsoft distributed a security update after it detected the security flaw in its XP operating system that enabled the so-called WannaCry ransomware to infiltrate and freeze computers last week.

    But the software giant only sent the free security update — or patch — to users of the most recent version of the Windows 10 operating system, the report said.

    Users of older software, such as Windows XP, had to pay hefty fees for technical support, it added.

    “The high price highlights the quandary the world’s biggest software company faces as it tries to force customers to move to newer and more secure software,” it said.

    A Microsoft spokesperson based in the United States told AFP: “Microsoft offers custom support agreements as a stopgap measure” for companies that choose not to upgrade their systems.

    “To be clear, Microsoft would prefer that companies upgrade and realise the full benefits of the latest version rather than choose custom support.”

    Reply
  10. Tomi Engdahl says:

    EU Authorities Fight Back Against “Black Box” ATM Attacks
    http://www.securityweek.com/eu-authorities-fight-back-against-black-box-atm-attacks

    Europol has announced that a total of 27 related arrests have been made since the ATM black box threat first emerged in 2015. Eleven arrests have been made in France, four in Estonia, three in the Czech Republic and Norway, and two in The Netherlands, Romania and Spain.

    A black box attack is a logical attack against cash dispensers. It requires gaining access to the inner workings of the machine, usually, notes Europol, “by drilling holes or melting.”

    Once access is achieved, the cash dispenser is disconnected from its core working, and connected instead to the hacker’s own electronic device — the so-called black box. The attacker then simply issues the necessary commands to empty the cash dispenser; an act known as ‘jackpotting’, which bypasses any need for a card or transaction authorization.

    Reply
  11. Tomi Engdahl says:

    Cyberattacks Prompt Massive Security Spending Surge
    http://www.securityweek.com/cyberattacks-prompt-massive-security-spending-surge

    The fight against cyberattacks has sparked exponential growth in global protection spending, with the cyber security market estimated at $120 billion this year, more than 30 times its size just over a decade ago.

    But even that massive figure looks set to be dwarfed within a few years, experts said, after ransomware attacks crippled computers worldwide in the past week.

    The “global cyber security market was worth $3.5 billion” in 2004, according to a study by Cyber security research firm CyberSecurity Ventures, but in 2017, “we expect it to be worth more than $120 billion”.

    In the five years ending in 2021, the firm said it expected worldwide spending on cybersecurity products and services “to eclipse $1 trillion”.

    “It has clearly been a rapidly increasing market for many years, particularly in the last two or three years,” said Gerome Billois, a cyber security expert with consulting firm Wavestone.

    Much of the growth will be spurred by massive cyber attacks like the so-called “Wannacry” ransomware that struck targets in dozens of countries, ranging from British hospitals to Russian banks.

    Reply
  12. Tomi Engdahl says:

    ATCH Act: A New Bill Designed to Prevent Occurrences Like WannaCrypt
    http://www.securityweek.com/patch-act-new-bill-designed-prevent-occurrences-wannacrypt

    Following the worldwide WannaCrypt ransomware attack that leveraged the EternalBlue exploit developed by and stolen from the NSA, Microsoft’s chief legal officer called for governments to stop stockpiling 0-day exploits. His arguments are morally appealing but politically difficult.

    Now, however, he has partial support from a bi-partisan group of lawmakers: Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas). Schatz announced yesterday that they had introduced the ‘Protecting Our Ability to Counter Hacking Act of 2017′ — the PATCH Act.

    Its purpose is to establish a Vulnerability Equities Review Board with permanent members including the Secretary of Homeland Security, the Director of the FBI, the Director of National Intelligence, the Director of the CIA, the Director of the NSA, and the Secretary of Commerce — or in each case the designee thereof.

    Its effect, however, will be to seek a compromise between the moral requirement for the government to disclose vulnerabilities (Microsoft’s Digital Geneva Convention), and the government’s political expediency in stockpiling vulnerabilities for national security and deterrence purposes.

    https://www.schatz.senate.gov/imo/media/doc/BAG17434_FINAL%20PATCH.pdf

    Reply
  13. Tomi Engdahl says:

    Why Suffer the Stress of Being a Black-Hat Hacker?
    http://www.securityweek.com/why-suffer-stress-being-black-hat-hacker

    A recent National Crime Agency report analyzed by the BBC, states that the, “average age of those… arrested (for cybercrime) is 17.” Free and easy-to-use hacking tools, a sense that the crimes are victimless, and a community that lauds technical skills that aren’t appreciated by their peers are leading young people to commit virtual crime when they wouldn’t otherwise in the real world. There is one point of good news – the young “don’t seem to be motivated primarily by money, which means early intervention can be very successful.”

    If we’re being honest, though, crime pays, at least in the digital realm. The investigation and prosecution effort for the use of a stolen credit card, for example, is usually more costly than the value of the goods illegally purchased. So the hacker most often gets away without a criminal charge.

    But choosing to become a black hat hacker is not without risk.

    Free hacking tools ‘help young into cyber-crime’
    http://www.bbc.com/news/technology-39654092

    Free, easy-to-use hacking tools help many young people slip into a life of cyber-crime, according to a report.

    The National Crime Agency (NCA) has detailed the “pathways” taken by people who become criminals.

    Many started by getting involved with game-cheat websites or forums that talked about ways to change or “mod” games, its report said.

    Mentors, role models and positive opportunities could deter people from committing cyber-crime, the NCA added.

    Reply
  14. Tomi Engdahl says:

    Trump’s Cybersecurity Executive Order a Positive Step, but Just a Start
    http://www.securityweek.com/trumps-cybersecurity-executive-order-positive-step-just-start

    Trump’s Cybersecurity Executive Order Should Serve as a Starting Point, Not the Be-all-end-all for Ensuring a Comprehensive Program

    President Trump recently signed the much-awaited executive order focused on strengthening the cybersecurity of federal networks and critical infrastructure. It is a wide-ranging order that touches on everything from the need for an agency-by-agency risk assessment to dealing with outdated infrastructure, botnets, and driving a cyber educated workforce.

    At the core of the assessment process is the NIST Cybersecurity Framework, which has been broadly adopted in the private industry and government as a benchmark against which to assess their security programs.

    While it certainly does not address every nook and cranny of cybersecurity, it serves as an overarching framework and common language. Users should think of it as a starting point, but not the be-all-end-all for ensuring a comprehensive program.

    http://www.securityweek.com/organizations-challenged-cybersecurity-framework-implementation

    Reply
  15. Tomi Engdahl says:

    Cyber Risk Management: What’s Holding Us Back?
    http://www.securityweek.com/cyber-risk-management-whats-holding-us-back

    Organizations Are Struggling to Operationalize Their Knowledge of Risk

    Over the past year, cyber risk management has gained a lot of attention in the media and among practitioners. Even though risk management has been proven to optimize business performance and lead to better investment decisions, many organizations have still not adopted this concept when it comes to their enterprise security model. Last week’s WannaCry ransomware attack is a stark reminder that a risk-based approach to security is long overdue. WannaCry is the last cyber-attack to expose the industry’s inability to find and fix threats that really matter. So what’s holding organizations back from implementing cyber risk management?

    Many industry standard bodies (e.g., Payment Card Industry) and government regulators (e.g., Office of the Comptroller of the Currency, SEC) have taken steps to propagate the usage of risk management by incorporating its core principles into their regulations. These refreshed guidelines are designed to address several factors including scarcity of resources, the disruptive effect of big data in the context of cyber security, market volatility, regulatory changes, and the need for better, faster decision making.

    However, many organizations are still struggling to operationalize their knowledge of risk in order to optimize business investments and performance. Let’s look at the factors that are preventing organizations from adopting a risk-based approach to security and what can be done to overcome them.

    Reply
  16. Tomi Engdahl says:

    An Intelligent Approach to Cure Security Fatigue
    http://www.securityweek.com/intelligent-approach-cure-security-fatigue

    Late last year, a study by the US National Institute of Standards and Technology (NIST) took an in-depth look at a phenomenon called “security fatigue.” Researchers found that a majority of individuals they interviewed (20 to 60 year olds in a variety of jobs and in rural, urban and suburban environments) experience a weariness or reluctance to deal with computer security. Being bombarded every day by an increasing number of warnings and bad news about the latest attack isn’t bolstering their resolve to deal with the bad guys. In fact, they’re feeling a sense of resignation and loss of control. That isn’t to say we should stop the awareness and education, but we need to devise better and easier ways to empower individuals to protect themselves.

    We’re seeing security fatigue on the corporate side as well, but with a twist. Organizations are growing weary of the same old stream of promises they’ve heard from security vendors for years. “We’ll help you consolidate dozens of security vendors for more effective and simpler protection.” Or, “We’ll provide a single pane of glass and all your security visibility and management headaches will go away.” But all this talk is just that – talk.

    As I’ve discussed before, in the face of rising complexity and scarce resources, organizations are looking to improve their security posture while making the best use of existing security teams and technology. How do more one-off APIs or another management interface that your security staff need to master and deploy help you reach your goals as a security organization? The answer is: they don’t. Organizations need an approach they can act on now.

    Reply
  17. Tomi Engdahl says:

    Leveraging a Secure and Robust Vendor Ecosystem
    http://www.securityweek.com/leveraging-secure-and-robust-vendor-ecosystem

    In a globally interconnected world, knowledge-based economies are shaping our future, and vendor relationships are critical to success. Global enterprises increasingly rely on hundreds, if not thousands, of third-party vendors, contractors, and systems to support business operations and achieve strategic objectives. Financial services firms outsource support and processing. Manufacturers work with suppliers, distributors, freight forwarders, and resellers around the world. Healthcare providers rely on data collectors, coders, data transmitters, document shredders, and POS vendors.

    In their 2016 Ethics & Compliance Third Party Risk Management Benchmark Report (PDF), NAVEX Global found that nearly 60% of the 400 respondents expect to increase their reliance on third-party relationships. Outsourcing operations, forming new partnerships, shifting business offshore, and implementing cloud computing services are integral to achieving business goals. Yet each of these initiatives can also introduce cyber security risk and reduce control.

    As security becomes more complex and networks more intertwined, third party risk management has become an essential part of business strategy. Third-party risk is now a boardroom discussion, especially in highly regulated industries. Many organizations rely on third party certifications such as SOC2 and ISO 27001 to mitigate risk. However, many significant risks are not programmatic, they’re in details such as how connectivity and collaboration between the organization and third party is being achieved, the infrastructure and software architectures, poorly protected ancillary systems, and other aspects which aren’t addressed in most audits.

    Whether you are creating your own program, or looking for a provider to help with some or all aspects of your program, here are five key considerations:

    1. Defining risk-based tiers of vendors – Not all vendors are equal; the level of risk varies based on criticality and risk to your operations.
    2. Assessing vendors’ security controls effectiveness – How likely is it that each of your vendors will be negatively affected by various types of threats?
    3. Addressing risk issues – When you do find a security, operational resiliency, or compliance gap, you need processes in place to proactively address this and ensure remediation or replacement of vendors who are not able to meet your standards.
    4. Understanding and addressing emerging threats – Geo-political instability; new attack vectors; evolving tools, techniques, and procedures (TTPs); industry-specific attacks; and attacks targeting a specific partner organization can introduce risk to your enterprise.
    5. Reporting to management – Third-party risk management is a boardroom topic. You need reporting mechanisms that provide management transparency to vendor risks including executive metrics and proactive security guidance from an operational and technological standpoint.

    When evaluating, implementing, or expanding third-party relationships, you need to understand your full risk profile across the entire relationship lifecycle.

    Reply
  18. Tomi Engdahl says:

    THERESA MAY TO CREATE NEW INTERNET THAT WOULD BE CONTROLLED AND REGULATED BY GOVERNMENT
    http://www.independent.co.uk/life-style/gadgets-and-tech/news/theresa-may-internet-conservatives-government-a7744176.html

    The proposals come soon after the government won the right to collect everyone’s browsing history.

    Theresa May is planning to introduce huge regulations on the way the internet works, allowing the government to decide what is said online.

    “Some people say that it is not for government to regulate when it comes to technology and the internet,” it states. “We disagree.”

    Reply
  19. Tomi Engdahl says:

    Paul Sawers / VentureBeat:
    Zomato agrees to hacker’s demand — will launch bug bounty program in exchange for stolen data deletion
    https://venturebeat.com/2017/05/19/zomata-agrees-to-hackers-demand-will-launch-bug-bounty-program-in-exchange-for-stolen-data-deletion/

    Less than 24 hours after revealing a major security breach that compromised the accounts of millions of users, restaurant search service Zomato revealed that it has engaged with the hacker responsible and has agreed to meet certain conditions in exchange for the stolen data being removed from the dark web.

    Though Zomato had sought to assure the affected users that their passwords could not easily be decrypted, it seems that was not necessarily the case, with some security experts claiming they were able to decrypt some passwords relatively quickly and others pouring scorn on Zomato’s cryptographic efforts.

    “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps,” explained Zomato’s chief technologist, Gunja Patidar. “His/her key request was that we run a healthy bug bounty program for security researchers.”

    And so that is exactly what Zomato says that it will do.

    “We are introducing a bug bounty program on Hackerone very soon,”

    While the link to the stolen data on the dark web has been removed, there is no guarantee that the data will be destroyed, of course.

    Reply
  20. Tomi Engdahl says:

    Twitter warns Vine users that email addresses and phone numbers were exposed
    Apparently getting shut down wasn’t bad enough
    https://www.theverge.com/2017/5/19/15666140/twitter-vine-user-emails-phone-numbers-exposed

    Vine as we once knew it has already been shut down, but unfortunately that doesn’t mean the information you provided to the Twitter-owned company is secure. Twitter just sent out a mass email to Vine users alerting them of a “bug” that briefly allowed third parties to view email addresses and phone numbers associated with Vine accounts. If you get the email, your information was likely exposed — though that doesn’t necessarily mean it’s being misused by anyone. The company makes no mention of any passwords having been exposed during the window that it claims lasted “less than 24 hours.” Vine has also published a Medium post on the issu

    Fixing a bug in the Vine Archive
    https://medium.com/@vine/fixing-a-bug-in-the-vine-archive-47385e44ac2

    Reply
  21. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Hackers are using Mirai-based botnets to DDoS the domain hardcoded into WannaCry in an attempt to reduce effectiveness of the kill-switch, revive the ransomware — Over the past year, two digital disasters have rocked the internet. The botnet known as Mirai knocked a swath of major sites off …

    Hackers Are Trying to Reignite WannaCry With Nonstop Botnet Attacks
    https://www.wired.com/2017/05/wannacry-ransomware-ddos-attack/

    Over the past year, two digital disasters have rocked the internet. The botnet known as Mirai knocked a swath of major sites off the web last September, including Spotify, Reddit, and The New York Times. And over the past week, the WannaCry ransomware outbreak crippled systems ranging from health care to transportation in 150 countries before an unlikely “kill-switch” in its code shut it down.

    Now a few devious hackers appear to be trying to combine those two internet plagues: They’re using their own copycats of the Mirai botnet to attack WannaCry’s kill-switch. So far, researchers have managed to fight off the attacks. But in the unlikely event that the hackers succeed, the ransomware could once again start spreading unabated.

    Reply
  22. Tomi Engdahl says:

    BuzzFeed:
    UK Conservative Party election manifesto proposes stringent new regulations that would impact internet companies like Google and Facebook

    Theresa May Wants To Regulate The Internet
    https://www.buzzfeed.com/jimwaterson/theresa-may-wants-to-regulate-the-internet?utm_term=.kk9BWEzXk2#.bb5X59wPo6

    The Conservative manifesto sets out a distinct vision for the future of the internet in which an anarchic world run by private companies is supplemented by substantial government intervention.

    Reply
  23. Tomi Engdahl says:

    11 year old boy hacks Bluetooth devices using Raspberry Pi
    https://www.techworm.net/2017/05/11-year-old-boy-hacks-bluetooth-devices-using-raspberry-pi.html

    An audience of security experts attending a cybersecurity conference at the World Forum in The Hague (The Netherlands) on Tuesday were shocked when a demonstration done by an 11-year-old “cyber ninja” showed the dismal cyber security standards that are prevailing in technology. He hacked into the Bluetooth devices to manipulate a teddy bear and show how interconnected smart toys “can be weaponised”.

    Reply
  24. Tomi Engdahl says:

    Yuji Nakamura / Bloomberg:
    Faced with $69M bitcoin theft, Bitfinex has dodged bankruptcy and repaid customers after issuing IOU tokens

    Inside Bitfinex’s Comeback From a $69 Million Bitcoin Heist
    https://www.bloomberg.com/news/articles/2017-05-17/inside-bitfinex-s-comeback-from-a-69-million-bitcoin-heist

    After hackers stole $69 million from Bitfinex last year, the bitcoin exchange’s fate seemed sealed: lawsuits, bankruptcy and years of liquidation proceedings.

    That’s what happened to Mt. Gox, the high-profile marketplace for trading the virtual currency, which lost $480 million. There were also other smaller implosions such as Cointrader and Bitcurex.

    But against the odds, Bitfinex pulled out of its spiral dive, announcing last month that all customers were repaid.

    thieves had walked away with about 57 percent of bitcoin deposits. Even though the virtual currency exists as software, it can be stolen and transactions are irreversible. In the aftermath, bitcoin briefly slumped 15 percent against the dollar.

    A key concern was whether another large bitcoin exchange implosion would undermine the virtual currency’s ecosystem and trigger a bear market like the one that followed Mt. Gox’s demise in 2014.

    Still, it might be too early for Bitfinex to celebrate.

    While it’s not clear whether Bitfinex’s recovery strategy is one that will be adopted for another crisis, the idea of using tradeable tokens is catching on.

    tokens are gaining in popularity because they are unregulated and can be immediately bought and sold.

    Reply
  25. Tomi Engdahl says:

    TechCrunch:
    As Bitcoin crosses $2,000, it also now accounts for less then half of total cryptocurrencies market cap, following growth of Ethereum and Ripple — May 20, 2017, 12:46 pmMay 20, 2017, 3:50 pm — The world’s most popular cryptocurrency is now worth over $2,000 per coin.

    Bitcoin just surged past $2,000 for the first time
    https://techcrunch.com/2017/05/20/btc2k/

    The world’s most popular cryptocurrency is now worth over $2,000 per coin. That’s according to a range of bitcoin exchanges, including Coinbase and Kraken. That valuation puts the total market cap of bitcoin — the total number of coins in circulation — at $32.92 billion.

    But bitcoin isn’t the only cryptocurrency on the rise. Ripple, the centralized currency that is aiming to be a settlement protocol for major banks, has surged more than 10x, or 1000% in under a month making it now the second most valuable cryptocurrency (only behind bitcoin) in circulation.

    Similarly, ethereum, a cryptocurrency designed to function as a blockchain-based computing platform for developers, is now trading $130 per coin with a total market cap of just under $12B, which represents a a little more than a 2x increase over the last month.

    Today the total market cap of bitcoin represents just 47% of total cryptocurrencies – up until a few months ago it consistently hovered around 80%.

    Reply
  26. Tomi Engdahl says:

    APT3 Threat Group a Contractor for Chinese Intelligence Agency
    http://www.darkreading.com/attacks-breaches/apt3-threat-group-a-contractor-for-chinese-intelligence-agency/d/d-id/1328913

    The APT3 hacker group that has been active since at least 2010 and is believed to have stolen intellectual property and confidential data from numerous Western government and military targets is actually a contractor for the Chinese Ministry of State Security (MSS).

    Reply
  27. Tomi Engdahl says:

    HTTPs Phishing sites are increasing, it is the reaction to browser improvements
    http://securityaffairs.co/wordpress/59238/cyber-crime/https-phishing-sites.html

    The number HTTPs Phishing sites continues to increase, it is the response of phishers to the improvements implemented by Browser-makers.

    Reply
  28. Tomi Engdahl says:

    Financial Firms Struggle on Compliance for non-Email Communications
    http://www.securityweek.com/financial-firms-struggle-compliance-non-email-communications

    Financial services is perhaps the most regulated sector in industry. SEC, FINRA and Gramm-Leach-Bliley are merely the better known of a raft of regulations. Key to all of them is the requirement to manage and retain communications. But just as regulations tend to increase and become more complex, so too have the different methods of communication that need to be monitored ballooned. What was once just email now includes SMS, public IM, a variety of social media and more. At the same time, regulators are becoming more active.

    The 2017 Electronic Communications Compliance Survey (PDF) from Smarsh demonstrates continuing industry concern over its ability to capture and retain relevant staff communications, especially from mobile devices. Interestingly, Europe’s GDPR will add to the regulation mix, but will expand the industry coverage from finserv to any organization doing business with Europe. While finserv regulations are concerned with financial data in communications, GDPR is concerned with personal data in communications. Different detail, but same basic problem: the control of regulated data getting dispersed in uncontrolled communications.

    http://www2.smarsh.com/l/9442/2017-compliance-survey-report-/9j4t3q

    Reply
  29. Tomi Engdahl says:

    Terror Exploit Kit Gets Fingerprinting Capabilities
    http://www.securityweek.com/terror-exploit-kit-gets-fingerprinting-capabilities

    Recent changes made to the Terror exploit kit (EK) allow it to fingerprint victims and target specific vulnerabilities instead of carpet bombing the victims with many exploits at the same time, Talos researchers discovered.

    Terror was initially detailed in January this year, when security researchers observed that it was targeting vulnerabilities with exploits taken from Metasploit or from either Sundown or Hunter EKs. Terror activity increased last month, after the Sundown EK inexplicably disappeared from the threat landscape.

    Reply
  30. Tomi Engdahl says:

    WikiLeaks Details Malware Made by CIA and U.S. Security Firm
    http://www.securityweek.com/wikileaks-details-malware-made-cia-and-us-security-firm

    WikiLeaks has published documents detailing another spy tool allegedly used by the U.S. Central Intelligence Agency (CIA). The latest files describe “Athena,” a piece of malware whose developers claim it works on all versions of Windows.

    Documents apparently created between September 2015 and February 2016 describe Athena as an implant that can be used as a beacon and for loading various payloads into memory. The tool also allows its operator to plant and fetch files to or from a specified location on the compromised system.

    A leaked diagram shows that Athena can be loaded onto the targeted computer by an asset, a remote operator, or via the supply chain. The implant is said to work on all versions of Windows from XP through 10, including Windows Server 2008 and 2012, on both x86 and x64 architectures.

    https://wikileaks.org/vault7/releases/#Athena

    Reply
  31. Tomi Engdahl says:

    Google Launches Security Services for Android
    http://www.securityweek.com/google-launches-security-services-android

    Google this week launched a set of security services designed to bring improved protection and visibility for Android users.

    Dubbed Google Play Protect, the new product is built into all devices with Google Play and should provide “comprehensive security services for Android,” the Internet giant says.

    “Whether you’re checking email for work, playing Pokémon Go with your kids or watching your favorite movie, confidence in the security of your device and data is important,” Edward Cunningham, Product Manager, Android Security, notes.

    “We know you want to be confident that your Android devices are safe and secure, which is why we are doubling down on our commitment to security,” he continues.

    There are 2 billion active Android devices globally and Google performs more than 50 billion application scans every day to keep them safe.

    Keeping you safe with Google Play Protect
    https://blog.google/products/android/google-play-protect/

    We know you want to be confident that your Android devices are safe and secure, which is why we are doubling down on our commitment to security. Today we introduced Google Play Protect—Google’s comprehensive security services for Android, providing powerful new protections and greater visibility into your device security. Play Protect is built into every device with Google Play, is always updating, and automatically takes action to keep your data and device safe, so you don’t have to lift a finger.

    Reply
  32. Tomi Engdahl says:

    Number of Phishing Sites Using HTTPS Soars
    http://www.securityweek.com/number-phishing-sites-using-https-soars

    The number of phishing websites using HTTPS has increased considerably over the past few months since Firefox and Chrome have started warning users when they access login pages that are not secure.

    Internet security services firm Netcraft reported on Wednesday that, since late January, the proportion of phishing sites using HTTPS increased from roughly 5% to 15%.

    Reply
  33. Tomi Engdahl says:

    WordPress 4.7.5 Patches Six Vulnerabilities
    http://www.securityweek.com/wordpress-475-patches-six-vulnerabilities

    WordPress 4.7.5 patches six vulnerabilities affecting version 4.7.4 and earlier, including cross-site scripting (XSS), cross-site request forgery (CSRF), and server-side request forgery (SSRF) flaws.

    The CSRF flaw patched in the latest WordPress release was reported by Yorick Koster of Netherlands-based Securify. The security hole was discovered in the summer of 2016 as part of a WordPress hacking competition run by Securify, but it was patched only now by WordPress developers.

    “This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker’s FTP or SSH server, disclosing his/her login credentials to the attacker,” Securify wrote in its advisory.

    Reply
  34. Tomi Engdahl says:

    Code Stolen After Developer Installed Trojanized App
    http://www.securityweek.com/code-stolen-after-developer-installed-trojanized-app

    In a perfect example of how a breach could have an unexpected impact, application builder Panic on Wednesday announced that it experienced source code theft after a developer unknowingly installed a Trojanized application in early May.

    The specific app was HandBrake, a video converting tool that experienced a breach in early May, when one of its download mirror servers was compromised and configured to distribute a remote administration Trojan (RAT) for Mac computers.

    After discovering the incident, HandBrake posted a security alert on its website, informing users that those who downloaded the application between May 2 and May 6 might have been infected. Only the download mirror at download.handbrake.fr had been compromised, but all users were advised to verify their installation.

    Reply
  35. Tomi Engdahl says:

    An Intelligent Approach to Cure Security Fatigue
    http://www.securityweek.com/intelligent-approach-cure-security-fatigue

    Late last year, a study by the US National Institute of Standards and Technology (NIST) took an in-depth look at a phenomenon called “security fatigue.” Researchers found that a majority of individuals they interviewed (20 to 60 year olds in a variety of jobs and in rural, urban and suburban environments) experience a weariness or reluctance to deal with computer security. Being bombarded every day by an increasing number of warnings and bad news about the latest attack isn’t bolstering their resolve to deal with the bad guys. In fact, they’re feeling a sense of resignation and loss of control. That isn’t to say we should stop the awareness and education, but we need to devise better and easier ways to empower individuals to protect themselves.

    We’re seeing security fatigue on the corporate side as well, but with a twist. Organizations are growing weary of the same old stream of promises they’ve heard from security vendors for years. “We’ll help you consolidate dozens of security vendors for more effective and simpler protection.” Or, “We’ll provide a single pane of glass and all your security visibility and management headaches will go away.” But all this talk is just that – talk.

    As I’ve discussed before, in the face of rising complexity and scarce resources, organizations are looking to improve their security posture while making the best use of existing security teams and technology.

    Reply
  36. Tomi Engdahl says:

    Exclusive: North Korea’s Unit 180, the cyber warfare cell that worries the West
    http://www.reuters.com/article/us-cyber-northkorea-exclusive-idUSKCN18H020

    North Korea’s main spy agency has a special cell called Unit 180 that is likely to have launched some of its most daring and successful cyber attacks, according to defectors, officials and internet security experts.

    Cyber security researchers have also said they have found technical evidence that could link North Korea with the global WannaCry “ransomware” cyber attack that infected more than 300,000 computers in 150 countries this month. Pyongyang has called the allegation “ridiculous”.

    The crux of the allegations against North Korea is its connection to a hacking group called Lazarus that is linked to last year’s $81 million cyber heist at the Bangladesh central bank and the 2014 attack on Sony’s Hollywood studio. The U.S. government has blamed North Korea for the Sony hack and some U.S. officials have said prosecutors are building a case against Pyongyang in the Bangladesh Bank theft.

    Reply
  37. Tomi Engdahl says:

    Netgear ‘fixes’ router by adding phone-home features that record your IP and MAC address
    Yeah, that’ll be secure for sure
    https://www.theregister.co.uk/2017/05/21/netgear_updates_router_with_phone_home_feature/

    Netgear NightHawk R7000 users who ran last week’s firmware upgrade need to check their settings, because the company added a remote data collection feature to the units.

    A sharp-eyed user posted the T&Cs change to Slashdot.

    Netgear lumps the slurp as routine diagnostic data.

    “Such data may include information regarding the router’s running status, number of devices connected to the router, types of connections, LAN/WAN status, WiFi bands and channels, IP address, MAC address, serial number, and similar technical data about the use and functioning of the router, as well as its WiFi network.”

    Much of this is probably benign, but posters to the Slashdot thread were concerned about IP address and MAC address being collected by the company.

    The good news is that you can turn it off: the instructions are here.

    It’s probably unlikely that any significant number of users will do so, given the number of people who never get around to changing their default passwords.

    Reply
  38. Tomi Engdahl says:

    LastPass now supports 2FA auth, completely undermines 2FA auth
    Just keep putting those eggs in the one basket, friends
    https://www.theregister.co.uk/2017/05/19/lastpass_adds_twofactor_auth_completely_undermines_twofactor_auth/

    Password manager LastPass has added a new feature to its software: the ability to store two-factor authentication codes. This is great news. For hackers.

    Increasingly, people with sense use two-factor auth as a way of ensuring that it is much harder for miscreants to break into their accounts, and to detect if anyone is anyone is trying to do so. A crook needs to know not only a victim’s username and password, but also have their two-factor code to log in.

    However, many companies, including Google, Facebook and Dropbox also offer the ability to generate one-off access codes from a device or app. You usually scan a barcode unique to your account, and this is used to calculate a sequence of access codes, with a new code every minute or so. When you log in, you provide your username and password, hand over that minute’s code, and in you go if it’s all correct.

    And that’s where LastPass comes in. LastPass Authenticator supports any service that offers a standard Time-based One-Time Password (TOTP) algorithm and will store the seed online in your LastPass account.

    Great. Or not.

    Because if someone gets into your LastPass account, it undermines the very advantage of having two-factor auth: that there is a second level of authentication using a different device.

    Using a password manager piece is preferable over using a small number of the same passwords for everything because you are able – theoretically at least – to use a different and more complex password for every service.

    But it risks creating of a single point of failure – everything is there. By putting two-factor auth codes in the same piece of software, that single point of failure becomes even more stark. It is placing eggs on top of an already egg-filled basket.

    Reply
  39. Tomi Engdahl says:

    Nitasha Tiku / Wired:
    How Facebook conducted research, commissioned by an advertiser, on minors’ emotional states, which was then shared in a presentation to potential advertisers

    Get Ready for the Next Big Privacy Backlash Against Facebook
    https://www.wired.com/2017/05/welcome-next-phase-facebook-backlash/

    Data mining is such a prosaic part of our online lives that it’s hard to sustain consumer interest in it, much less outrage. The modern condition means constantly clicking against our better judgement. We go to bed anxious about the surveillance apparatus lurking just beneath our social media feeds, then wake up to mindlessly scroll, Like, Heart, Wow, and Fave another day.

    But earlier this month, The Australian uncovered something that felt like a breach in the social contract: a leaked confidential document prepared by Facebook that revealed the company had offered advertisers the opportunity to target 6.4 million younger users, some only 14 years old, during moments of psychological vulnerability, such as when they felt “worthless,” “insecure,” “stressed,” “defeated,” “anxious,” and like a “failure.”

    The 23-page document had been prepared for a potential advertiser and highlighted Facebook’s ability to micro-target ads down to “moments when young people need a confidence boost.”

    Reply
  40. Tomi Engdahl says:

    Any half-decent hacker could break into Mar-a-Lago
    http://www.businessinsider.com/any-half-decent-hacker-could-break-into-mar-a-lago-2017-5?r=US&IR=T&IR=T

    Two weeks ago, on a sparkling spring morning, we went trawling along Florida’s coastal waterway. But not for fish.

    We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.

    A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.

    We have also visited two of President Donald Trump’s other family-run retreats

    Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.

    The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.

    “Those networks all have to be crawling with foreign intruders, not just ProPublica,”

    Security lapses are not uncommon in the hospitality industry, which — like most industries and government agencies — is under increasing attack from hackers. But they are more worrisome in places where the president of the United States, heads of state and public officials regularly visit.

    U.S. leaders can ill afford such vulnerabilities. As both the U.S. and French presidential campaigns showed, hackers increasingly exploit weaknesses in internet security systems in an effort to influence elections and policy. Last week, cyberattacks using software stolen from the National Security Agency paralyzed operations in at least a dozen countries, from Britain’s National Health Service to Russia’s Interior Ministry.

    Our experience also indicates that it’s easy to gain physical access to Trump properties, at least when the president is not there. As Politico has previously reported, Trump hotels and clubs are poorly guarded.

    Even after spending millions of dollars on security, the White House admitted in 2015that it was hacked by Russians. After the hack, the White House replaced all its computer systems, according to a person familiar with the matter.

    It is not clear whether Trump connects to the insecure networks while at his family’s properties. When he travels, the president is provided with portable secure communications equipment.

    The Trump club websites are hosted by an Ohio-based company called Clubessential. It offers everything from back-office management and member communications to tee time and room reservations.

    In a 2014 presentation, a company sales director warned that the club industry as a whole is “too lax” in managing and protecting passwords. There has been a “rising number of attacks on club websites over the last two years,” according to the presentation. Clubessential “performed [an] audit of security in the club industry” and “found thousands of sensitive documents from clubs exposed on [the] Internet,” such as “lists of members and staff, and their contact info; board minutes, financial statements, etc.”

    Reply
  41. Tomi Engdahl says:

    Exclusive: Hackers hit Russian bank customers, planned international cyber raids
    http://www.reuters.com/article/us-russia-cyber-banks-idUSKBN18I0VE?feedType=RSS&feedName=topNews&utm_source=twitter&utm_medium=Social

    Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers and were planning to target European lenders before their arrest, investigators and sources with knowledge of the case told Reuters.

    Their campaign raised a relatively small sum by cyber-crime standards – more than 50 million roubles ($892,000) – but they had also obtained more sophisticated malicious software for a modest monthly fee to go after the clients of banks in France and possibly a range of other western nations.

    Russia’s relationship to cyber crime is under intense scrutiny after U.S. intelligence officials alleged that Russian hackers had tried to help Republican Donald Trump win the U.S. presidency by hacking Democratic Party servers.

    Reply
  42. Tomi Engdahl says:

    VMware Patches Workstation Vulnerabilities
    http://www.securityweek.com/vmware-patches-workstation-vulnerabilities

    VMware informed customers last week that updates released for the Linux and Windows versions of Workstation patch privilege escalation and denial-of-service (DoS) vulnerabilities.

    Reply
  43. Tomi Engdahl says:

    Jack Stubbs / Reuters:
    Sources: Russian police have arrested 16 in banking malware scheme that infected 1M+ Android devices in Russia, netted $892K, and had begun expanding to Europe — Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers and were planning …

    Hackers hit Russian bank customers, planned international cyber raids
    http://uk.reuters.com/article/us-russia-cyber-banks-idUKKBN18I0VE

    Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers and were planning to target European lenders before their arrest, investigators and sources with knowledge of the case told Reuters.

    Their campaign raised a relatively small sum by cyber-crime standards – more than 50 million roubles ($892,000) – but they had also obtained more sophisticated malicious software for a modest monthly fee to go after the clients of banks in France and possibly a range of other western nations.

    Reply
  44. Tomi Engdahl says:

    Companies Stockpiling Bitcoin in Anticipation of Ransomware Attacks
    by PHIL MCCAUSLAND
    http://www.nbcnews.com/storyline/hacking-of-america/companies-stockpiling-bitcoin-anticipation-ransomware-attacks-n761316

    In the age of cyber threats, companies are stockpiling digital currency in preparation of future “ransomware” attacks — which have grown exponentially over the past few years.

    The most recent attack, known as “WannaCry,” took hundreds of thousands of computers’ data files hostage unless users paid a $300 to $600 ransom via Bitcoin, a popular digital currency. Now many companies are maintaining a stash of the digital cash because of the rise of ransomware, according to cybersecurity experts and firms.

    According to research conducted by Citrix, about a third of British companies in 2016 retained a cache of digital monies as part of a strategy to “regain access to important intellectual property or business critical data.” The same examination also found that half of those British businesses didn’t back up their data once a day, a major fail-safe against such attacks.

    “Part of the everyday ransomware demand is Bitcoin, because it’s easy to get and it’s the currency of choice for the criminal underground,”

    Cybercriminals prefer Bitcoin as payment because of their near-anonymous nature. Any transaction can be seen via the currency’s open ledger, but names don’t have to be attached. It also requires no government or banking intermediary, and it works as simply as a file transfer between two people or organizations.

    Reply
  45. Tomi Engdahl says:

    S#!T Some Security Vendors Claim
    http://www.securityweek.com/st-some-security-vendors-claim

    The information security space is a hot, fast-moving market; and with that heat and speed comes both good and bad.

    Demand for IT security skills is outstripping the market by more than a million job openings according to some experts, which means that, along with a notoriously small community of genuine experts who make a living working to protect (or exploit) high value data, the Peter Principle is often in full effect. As people rise to the level of their incompetence, they bring with them a lot of myth and misinformation—fear, uncertainty and doubt sown to sell products or preserve job security.

    I’ve talked with a lot of frustrated CISOs who have to deal with the bluster.

    Don’t Believe The Hype:

    Buzzwords are the bane of the CISO’s existence. Whatever the latest trend is, every vendor tries to figure out a way to hitch their wagon to that star, whether it is machine learning, artificial intelligence, behavioral analytics, orchestration or whatever.

    “The problem with buzzword bingo is that it diminishes the truly innovative work being done by a lot of good security companies who aren’t chasing trends but are actually solving problems,” one CISO told me.

    Out of Alignment:

    A good technical sales representative knows their product and knows how to listen. Sometimes the CISO will encounter a pitch that doesn’t quite fit the product.
    “Good security pitches start with a vendor that understands its product strengths and provides an honest assessment of how the solution aligns with customer needs,” the CISO continued. “A good pitch also includes fresh, unique approaches to existing problems.”

    To Thine Own Self Be True:

    A CISO’s mandate requires that they understand the makeup of their organization in order to assess and address risk. That means knowing the technical environment, how data moves within the systems, industry-specific threats and regulations and company culture. Once this knowledge has been acquired, a meaningful strategy can be drafted for the organization’s needs.

    Separating Fact from Fiction

    What’s the best way to separate vendor facts from fiction?

    Once you put the vendor to the test, a CISO said, the pretenders are easy to spot.

    “When you start asking specific questions you find a lot of vaporware with no demo, or fancy interfaces being presented as new and novel security solutions with nothing under the hood. I am still surprised at the number of companies that make the effort to get in for a pitch but have no practical architecture for any feasible deployment in an existing environment.”

    Another way is to “play the hacker.” My colleague, Itzik Kotler, CTO and co-founder at SafeBreach, states that, to not fall for snake oil claims, it is important to gain the hacker’s perspective. “By understanding what is possible from an adversary, you can better judge your defenses and controls, and quantify what’s working.” In other words, get your red team or “automated breach and attack simulation technologies” into the mix to test the claims from vendors.

    The lesson for the CISO community—both the newbies and the grizzled old veterans—is to make the effort to stay on top of state-of-the-art for our industry.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*